use of org.forgerock.oauth2.core.Token in project OpenAM by OpenRock.
the class OpenAMOAuth2ProviderSettings method createRSAJWK.
private Map<String, Object> createRSAJWK(RSAPublicKey key, KeyUse use, String alg) throws ServerException {
String alias = null;
try {
alias = getStringSetting(realm, OAuth2Constants.OAuth2ProviderService.KEYSTORE_ALIAS);
} catch (SSOException | SMSException e) {
logger.error(e.getMessage());
throw new ServerException(e);
}
if (StringUtils.isBlank(alias)) {
logger.error("Alias of ID Token Signing Key not set.");
throw new ServerException("Alias of ID Token Signing Key not set.");
} else if ("test".equals(alias)) {
logger.warning("Alias of ID Token Signing Key should be changed from default, 'test'.");
}
String kid = Hash.hash(alias + key.getModulus().toString() + key.getPublicExponent().toString());
return json(object(field("kty", "RSA"), field(OAuth2Constants.JWTTokenParams.KEY_ID, kid), field("use", use.toString()), field("alg", alg), field("n", Base64url.encode(key.getModulus().toByteArray())), field("e", Base64url.encode(key.getPublicExponent().toByteArray())))).asMap();
}
use of org.forgerock.oauth2.core.Token in project OpenAM by OpenRock.
the class EndSession method endSession.
/**
* Handles GET requests to the OpenId Connect end session endpoint for ending OpenId Connect user sessions.
*
* @return The OpenId Connect token of the session that has ended.
* @throws OAuth2RestletException If an error occurs whilst ending the users session.
*/
@Get
public Representation endSession() throws OAuth2RestletException {
final OAuth2Request request = requestFactory.create(getRequest());
final String idToken = request.getParameter(OAuth2Constants.Params.END_SESSION_ID_TOKEN_HINT);
final String redirectUri = request.getParameter(OAuth2Constants.Params.POST_LOGOUT_REDIRECT_URI);
try {
openIDConnectEndSession.endSession(idToken);
if (StringUtils.isNotEmpty(redirectUri)) {
return handleRedirect(request, idToken, redirectUri);
}
} catch (OAuth2Exception e) {
throw new OAuth2RestletException(e.getStatusCode(), e.getError(), e.getMessage(), null);
}
return null;
}
use of org.forgerock.oauth2.core.Token in project OpenAM by OpenRock.
the class IdentityManager method getClientIdentity.
/**
* Gets a client's identity.
*
* @param clientName The client's name.
* @param realm The client's realm.
* @return The Clients identity.
* @throws UnauthorizedClientException If the client's identity cannot be found.
*/
public AMIdentity getClientIdentity(String clientName, String realm) throws UnauthorizedClientException {
final SSOToken token = AccessController.doPrivileged(AdminTokenAction.getInstance());
final AMIdentity amIdentity;
try {
final AMIdentityRepository amIdRepo = new AMIdentityRepository(token, realm);
final IdSearchControl idsc = new IdSearchControl();
idsc.setRecursive(true);
idsc.setAllReturnAttributes(true);
// search for the identity
idsc.setMaxResults(0);
final IdSearchResults searchResults = amIdRepo.searchIdentities(IdType.AGENTONLY, clientName, idsc);
final Set<AMIdentity> results = searchResults.getSearchResults();
if (results == null || results.size() != 1) {
logger.error("No client profile or more than one profile found.");
throw new UnauthorizedClientException("Not able to get client from OpenAM");
}
amIdentity = results.iterator().next();
//if the client is deactivated return null
if (amIdentity.isActive()) {
return amIdentity;
} else {
return null;
}
} catch (Exception e) {
logger.error("Unable to get client AMIdentity: ", e);
throw new UnauthorizedClientException("Not able to get client from OpenAM");
}
}
use of org.forgerock.oauth2.core.Token in project OpenAM by OpenRock.
the class OpenAMClientDAO method read.
/**
* {@inheritDoc}
*/
public Client read(String clientId, OAuth2Request request) throws UnauthorizedClientException {
Map<String, Set<String>> clientAttributes = new HashMap<String, Set<String>>();
try {
AMIdentity theID = null;
final SSOToken token = AccessController.doPrivileged(AdminTokenAction.getInstance());
final String realm = request.getParameter(OAuth2Constants.Custom.REALM);
AMIdentityRepository repo = idRepoFactory.create(realm, token);
IdSearchControl idsc = new IdSearchControl();
idsc.setRecursive(true);
idsc.setAllReturnAttributes(true);
// search for the identity
Set<AMIdentity> results;
idsc.setMaxResults(0);
IdSearchResults searchResults = repo.searchIdentities(IdType.AGENTONLY, clientId, idsc);
results = searchResults.getSearchResults();
if (results == null || results.size() != 1) {
logger.error("OpenAMClientDAO.read(): No client profile or more than one profile found.");
throw new UnauthorizedClientException("Not able to get client from OpenAM");
}
theID = results.iterator().next();
//if the client is deactivated return null
if (!theID.isActive()) {
theID = null;
} else {
clientAttributes = theID.getAttributes();
}
} catch (UnauthorizedClientException e) {
logger.error("OpenAMClientDAO.read(): Unable to get client AMIdentity: ", e);
throw new UnauthorizedClientException("Not able to get client from OpenAM");
} catch (SSOException e) {
logger.error("OpenAMClientDAO.read(): Unable to get client AMIdentity: ", e);
throw new UnauthorizedClientException("Not able to get client from OpenAM");
} catch (IdRepoException e) {
logger.error("OpenAMClientDAO.read(): Unable to get client AMIdentity: ", e);
throw new UnauthorizedClientException("Not able to get client from OpenAM");
}
Client client = createClient(clientAttributes);
client.setClientID(clientId);
return client;
}
use of org.forgerock.oauth2.core.Token in project OpenAM by OpenRock.
the class IdTokenClaimGatherer method getRequestingPartyId.
@Override
public String getRequestingPartyId(OAuth2Request oAuth2Request, AccessToken authorizationApiToken, JsonValue claimToken) {
try {
SignedJwt idToken = jwtReconstruction.reconstructJwt(claimToken.asString(), SignedJwt.class);
OAuth2ProviderSettings oAuth2ProviderSettings = oauth2ProviderSettingsFactory.get(oAuth2Request);
OAuth2Uris oAuth2Uris = oAuth2UrisFactory.get(oAuth2Request);
byte[] clientSecret = clientRegistrationStore.get(authorizationApiToken.getClientId(), oAuth2Request).getClientSecret().getBytes(Utils.CHARSET);
KeyPair keyPair = oAuth2ProviderSettings.getServerKeyPair();
if (!idToken.getClaimsSet().getIssuer().equals(oAuth2Uris.getIssuer())) {
logger.warn("Issuer of id token, {0}, does not match issuer of authorization server, {1}.", idToken.getClaimsSet().getIssuer(), oAuth2Uris.getIssuer());
return null;
}
if (!verify(clientSecret, keyPair, idToken)) {
logger.warn("Signature of id token is invalid.");
return null;
}
return idToken.getClaimsSet().getSubject();
} catch (InvalidClientException e) {
logger.error("Failed to find client", e);
return null;
} catch (NotFoundException | ServerException e) {
logger.error("Failed to find OAuth2 settings", e);
return null;
}
}
Aggregations